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© A system is disclosed for completing commu* 

Snication connections from end-users served by a 
connectionless (broadcast) type system in a manner 
which allows expansion of the calling area beyond 
the immediate physical limitations of the broadcast 
<D media. 

^ The system is based upon a device for mediat- 
ors between the connectionless system and a con- 
COnection oriented system. The device creates logical 
q local area networks interconnactabfe by the connec- 
tion oriented system. Calling user identification is 
used in conjunction with call completion data stored 
in a central memory for controlling ail interconnec- 
tions. 
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VIRTUAL LOCAL AREA NETWORK 



Background of the Invention 

This invention relates to local area networks 
and, more particularly, to an arrangement whereby 
a broadcast oriented system can be used in con- 
junction with a connection oriented system. 

In communication systems there are basically 
two types of systems, namely, connectionless and 
connection oriented. Connectionless systems are 
broadcast oriented such that every end-system 
monitors ail transmissions and responds when it 
"hears" its own address. In a connection oriented 
system a calling end-system calls (using some 
code) a called end-system and the network acts to 
establish a communication linkage between the 
calling and called systems. The typical telecom- 
munication system (when the end-systems are 
telephones) operates in the connection oriented 
. mode. 

One use of connectionless (broadcast) systems 
is for establishing Locar Area Networks (LANs) 
where a number of end-systems, such as host 
computers and personal computers (PCs), can be- 
come "connected" for the interchange of data. 
However, since connectionless LANs are inherently 
limited in size, confined to a local area, and difficult 
to move or re-configure due to the nature of the 
broadcast media, it is often desired to take the 
features of a connectionless LAN and emulate 
them with a connection oriented network. However, 
the services and features provided by a typical 
connectionless LAN, e.g., datagram services and 
name services, rely on the broadcast nature of the 
network where every end-system monitors all 
transmissions. Thus, these services do not inher- 
ently work in a connection oriented network be- 
cause in such networks communications are only 
directed to particular end-systems and are not 
broadcasted to all end-systems. 

A problem in a connectionless LAN is that, 
while any end-system on the LAN can commu- 
nicate with any other end-system on the LAN, they 
do so with no security control. Thus, it is a desir- 
able feature to add security to a connectionless 
network such that calls between end-systems are 
authorized before completion. 

A further problem with connectionless LANs is 
their limited bandwidth since in such systems ev- 
ery transmission is monitored, thereby requiring 
every end-system active on the LAN to process 
large amounts of otherwise useless data in order to 
determine which transmissions are destined for it 

One solution to these problems has been to 
provide a centralized process within the connection 



oriented system that acts as a server to each end- 
system. Each end-system is then connected to the 
server via a special connection, referred to as an 
umbilical connection, over which the end-system 

5 and the server communicate with one another. The 
server relies upon both administered information 
(information stored in the server) and information 
that is dynamically on a connection-by-connection 
basis obtained from each end-system in order to 

jo accept data transmissions from the end-systems 
over the umbilical connections. When appropriate, 
the server directs data transmissions to specified 
destination end-systems over the umbilical connec- 
tions. Based on dialogues carried out over these 

js umbilical connections, the server also mediates the 
establishment of direct connections between end- 
systems. Thus, it is the server that controls the 
communication between all end-systems. 

This, however, only solves part of the problem. 

20 There remains the problem that the server does 
not know the identity of the end-systems. 



Summary of the Invention 

25 

Our invention takes advantage of the calling 
party ID features and the wide area networking 
(WAN) capabilities of the Integrated System Digital 
Network (ISDN). Using our system, the server as- 

30 sociates the calling party ID of an end-system with 
the umbilical connection that the end-system sets 
up with the server. Thus, the server is able to keep 
track of each end-system's "identity'' an can asso- 
ciate a message sent over an umbilical connection 

35 with the end-system that sent the message. Using 
this mechanism, the server can provide centralized 
support for name services, datagram services, and 
can also mediate virtual circuit connections be- 
tween end-systems. The WAN capabilities of ISDN 

40 are accordingly used to "stretch" these LAN fea- 
tures to other physical locations. 

With these capabilities, the limitations of a con- 
nectionless LAN are overcome by the connection 
oriented LAN. First the size of a connection ori- 

45 ented LAN is not restricted in the same way that a 
connection fess LAN is limited, i.e.. by the prop- 
erties of the broadcast media. Second, the connec- 
tion oriented LAN is not limited to a local area by 
virtue of the fact that different physical locations 

so can be interconnected in the traditional manner via 
a public or private telephone switch. 

In our system, a virtual LAN is created in 
memory in the server process. The names of one 
or more virtual LANs are defined in the server 
process along with the "identity" (i.e., Calling Party 
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ID) of each end-system in each virtual LAN. Thus, 
the set of end-systems is logically partitioned into 
many virtual LANs by simply providing the appro- 
priate software definitions to the centralized server 
process. Bid-systems can be added to. or deleted 
from, virtual LANs by simply changing the defini- 
tions within the server process. No physical move* 
ment of the end-systems is necessary. Thus, an 
end-system participates in a single virtual LAN by 
specifying the name of that virtual LAN when it 
attempts to establish an umbilical connection to the 
server. An end-system cannot set up an umbilical 
connection to the server if 1) it has not been 
"authorized" to do so by having its "identity" de- 
fined to the * server, and/or 2) it has not been 
"authorized" to do so by having been defined to 
the server as one of the end-systems that can 
participate in the virtual LAN whose name it speci- 
fied when attempting to set up the umbilical con- 
nection. 

The centralized server mediates the establish- 
ment of all calls between end-systems in the set of 
virtual LANs and, in the process of doing so, pro- 
vides a security function. Recall that the server 
knows the "identity" of an end-system (as asso- 
ciated with that enoSsystenVs umbilical connec- 
tion). Therefore, when an end-system indicates that 
it wishes to establish a connection to another end- 
system, the server can carry out a detailed verifica- 
tion scheme in order to determine whether the call 
should and can be carried out If so, the server 
- then performs a function that "authorizes" the call 
by generating a unique security code which is then 
supplied to the calling end-system and to the 
called end-system. As part of the establishment of 
the call between the two end-systems, the end- 
systems exchange the security code and compare 
them for correctness. Thus, a call- from one end- 
system to another that has not first been 
"authorized" by the server will not succeed. End- 
systems are thus prevented from making 
"unauthorized" calls to other end-systems. 

The centralized server reduces bandwidth 
problems by virtue of the fact that it handles the 
call establishments of all end-systems by directing 
the call establishment to the proper end-system. 
Thus, an end-system has only to keep track of its 
own name or names- and is not responsible for 
having to receive and handle numerous transmis- 
sions destined for other end-systems. 

An end-system that wishes to send a datagram 
message to a multiple of end-systems sends one 
copy of that message to the server. The server 
then distributes the message only to the end-sys- 
tems that were specified as the destinations. Con- 
trast this to a connectionless network in which the 
message must be received by all end-systems 
regardless of which of those end-systems are the 



true "destinations 0 of the message. 

In addition, the server, in performing the call 
mediation services, also: determines that the call- 
ing end-system is not an intruder, determines 

5 whether the called end-system is active 0-©-. has 
an umbilical connection), determines whether the 
called end-system is authorized to accept a call 
from the calling end-system, and determines 
whether the two end-systems have compatible soft- 

io ware or protocols. Thus, the server can prevent 
needless call attempts between incompatible end- 
systems. By performing all of these services, the 
server effectively reduces the processing workload 
of the end-systems, thereby increasing bandwidth 

is capability of the entire network. 



Brief Description of the Drawings 

20 These and other objects and features, together 
with the operation and utilization of the present 
invention, will be more apparent from the illustrative 
embodiment shown in conjunction with the draw- 
ings in which > : 
25 FIG.1 shows a virtual Local Area Network 

using our central server, 

F1G.2 shows a flow chart of the umbilical 
connection establishment process, 

FIG.3 shows a flow chart of the call set up 
30 process, 

F1G.4 illustrates the umbilical connections to 
the central virtual LAN server, 

FIG. 5 shows a typical prior art Local Area 
Network, 

35 F1G.6 shows a typical server database or- 

ganization, and 

FIG.7 shows a typical VLAN server name 

table. 

40 

Detailed Description 

Turning now to FIG.1. there is shown a switch- 
ing control system, such as PBX 10, with a number 
45 of end-systems, such as PCs 120A, 120B, 121 A, 
121B, and 122, and computers, such as 3B2 and 
111, connected via ports, such as ports 1 05-1 06 to 
bus 1 20, such as a packet bus. located within PBX 
10. Also connected to bus 120 is call processor 
so 101, virtual local area network (VLAN) server 102 
and administration unit 1 03. 

Illustrating the type of PCs and computers that 
could be connected to bus 120. we have shown 
PCs 120A, 120B, 121 A, 121 B, and 122, and com- 
as puters 3B2 and 111. PCs 120A and 120B are daisy 
chained together, in well-known fashion as are 
computers 121 A and 121B, 122 and 3B2. Also 
shown is a network extension unit 107 which con- 
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nects multiple daisy chains together. The operation 
of this unit is also well-known. 

PCs 120A 120B, 121A, 121B. 122, computer 
382 and the network extension unit 107 are con- 
nected to the mbit port 105 on system 10 via the 
IEEE 802.3 1 megabit medium, the specifications 
for which are contained in the IEEE 802.3 1 Base 5 
Specifications. End-systems 120 A, 120B. 121 A, 
121B. 122 and 3B2 can be any type of equipment 
However, the embodiment shown utilizes the pro- 
cessing capabilities of these end-systems, thus 
ideally, these end-systems could be PCs, such as 
AT&T PC 6300s, AT&T UNIX PCs and AT&T 3B2 
computers. 

Host computers, such as computer 11 1, are 
connected to the ISDN/DMI port 106 via the DMI 
medium. The specifications for the DMI interface 
are contained in the "Digital Multiplexed Interface" 
specification available from AT&T, which publica- 
tion is well-known In the art 

End-systems such as AT&T PC 6300 require 
an interface card such as the AT&T STARLAN 
network access unit and the software driver that 
these , end-systems would use to provide VUAN 
functionality is DMI Mc<te 3, with a NETBIOS inter- 
face and I^DN signaling for call control. The speci- 
fications for NETBIOS are contained in the IBM PC 
Network Technical Reference, which publications is 
also well-known in the art The ISDN signaling 
message set is detailed in "ISDN Primary Rate 
Interface Specification, " published by AT&T, dated 
March 1985, which is yet another well-known pub- 
lication. 

End-systems such as the AT&T UNIX PC and 
computers such as AT&T 3B2 also require an 
interface card such as the AT&T STARLAN net- 
work access unit In addition, the drivers in these 
units would use DMI Mode 3. ISDN signaling and 
the UNIX Transport Level Interface (UTU) to pro- 
vide VLAN functionality. The specifications for UTLI 
are well-known and are contained in "AT&T UNIX 
System V Network Programmers' Guide." Issue 1 , 
copyright 1986 (DOC 307230). available from 
AT&T. 

Computers, such as DMI host 111, require a 
DMI interface and drivers that use DMI Mode 3 and 
ISDN signaling to provide VLAN functionality. A 
NETBIOS or a UTLI interface can be used, de- 
pending on the computer. 

For control purposes VLAN server 102 is a 
software process that resides in system 10. A call 
processor 101 and administration processor 103 
are also required. VLAN server 102 can run on 
either call processor 101 or administration proces- 
sor 103. 

In order for the participating end-system to be 
part of a VLAN, an umbilical connection has to be 
set up between the end-system and the VLAN 
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server. 

The umbilical connection allows the end-sys- 
tem to obtain calling information from the VLAN 
server. The end-systems call each other by names, 
s The system manages calls by telephone numbers. 
Thus, when an end-system wants to call another by 
name, it asks the VLAN server over the umbilical i 
connection for the telephone number of the des- 
tination. 

fo Similarly, end-systems can add and delete 
names for themselves. The VLAN server keeps 
track of these names and associates them with the 
correct telephone numbers. FIG.7 illustrates the 
name to telephone number association. 

s Finally, since datagram services requires no 

call set up, the VLAN server has to handle datag- 
rams by sending them along umbilical connections. 
The calling end-system sends a datagram to the 
VLAN server via its umbilical connection, and the 
so VLAN server puts it on the destination umbilical 
connection. 



VLAN Partitioning 

25 

The VLAN server, therefore, has complete con- 
trol of which end-systems are allowed to be on the 
VLAN. Further, through administration, the VLAN 
server can partition end-systems into separate vir- 
30 tual LANs. An end-system can belong to more than 
one logical LAN. FIG.4 illustrates how this is ac- 
complished. 

In FIG.4, PCs 410 and 412 have been defined 
to be members of virtual LAN A (shown with a 
35 uniformly dashed line). PCs 411. 412 and 413 and 
computer 409 have been defined to be members of 
virtual LAN B (shown with a long and short dashed 
line). These definitions were provided to server 407 
through switch administration 408. The definitions 
40 are maintained by server 407 in its database as 
shown in FIG.6. 

Note that end-system 412 is defined to be a 
member of both virtual LAN A and virtual LAN B. 
End-system 412 may thus participate in connec- 
ts tions via both LANs, but can only participate in 
connections one at a time. 

The end-system specifies in which of the vir- 
tual LANs that it wishes to participate at the time it 
establishes an umbilical connection. Thus, an urn- 
so bilical connection is directly associated with a par- 
ticular virtual LAN defined within server 407. In the 
illustration shown, end-system 412 could be partici- 
pating in virtual LAN A. At any given time, end- 
system 412 may tear down its umbilical connection 
55 for virtual LAN A, thus terminating its participation 
in that virtual LAN, and it may then set up an 
umbilical connection for virtual LAN B in order to 
participate in that virtual LAN. 
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An end-system which has not set up an umbili- 
cal connection will not be able to participate in a 
LAN. bi this state, it cannot request any broadcast 
services, such as name services or datagram ser- 
vices, from VLAN server 407. Additionally, server 
407 will not forward any data to it from other end- 
systems and will prevent other end-systems from 
attempting to call it End-systems can send special 
instructions, such as "not active," to the server. 
Communications will not be sent to an end-system 
while such an instruction Is present in the server. 

Any end-system may be added to one or more 
virtual LANs which are known to server 407 or may 
be deleted from a virtual LAN. For example, end- 
system 41 1 may be deleted from virtual LAN 8 and 
added to virtual LAN A simply by instructing switch 
tdm mi strati on 408 to update the database of server 
407. 

FK5.5 serves to illustrate the difference be- 
tween virtual LANs and prior art stand-alone LANs. 
* thm figure, end-systems 610 and 612 are mem- 
ber! o* LAN A. End-systems 611. 613 and 614 are 
m#mbi i of LAN B. This membership is implicit in 
r»e fact tiat the end-systems are physically at- 
tached to those LANs. Whether or not the end- 
fystams are participating in their respective LANs 
depend s solely upon whether they are powered-up 
and running the appropriate network Interface soft- 
ware. Thus, each end-system is a member of one 
LAN because each end-system is attached to only 
one LAN. In order to move an end-system from 
one LAN to the other, the physical connection must 
be changed, implying that the end-system probably 
must be moved. 



VLAN Security 

In order to prevent end-systems from dialing 
each other without the knowledge of the VLAN 
server, the following security code scheme is used, 
as discussed with respect to F1G.3 of the Call Set 
Up Sequence: 

During name service call set up, the VLAN 
server sends a randomly generated unique security 
code SEC — C0DE to the destination, which is 
saved by the destination driver. 

The VLAN server then sends the SEC CODE 

to the calling end-system, whose driver then sends 
the SEC__C0DE to the destination driver, who 
checks to see if it matches with the one it received 
from the VLAN server earlier. If it matches, the call 
is allowed. 



VLAN Brokerage 

In addition, since the VLAN server knows the 
status of all end-systems, It can police call set ups 
5 by cutting down unnecessary attempts when the 
destination has not posted a LISTEN, I.e.. the des- 
tination is not active. This is illustrated in process 
302 in FIG.3: Call Set Up Sequence. 

10 

Umbilical Connection EstabBshmerrt 

RG.2 illustrates the sequence of high-level 
steps performed to establish an umbilical connec- 
ts tion between an end-system and VLAN server 102 
(FIG.1). 

The virtual LAN Mode 3 NETBIOS driver in the 
end-system (such as PC 110, RG.2) starts up and 
does some initialization, e.g., establishes the sig- 

ao naling link between itself and PBX Call Processing 
over which virtual circuit connection establishment 
is carried out, as shown in process 201. The end- 
system places a call to VLAN server 102 using 
alphanumeric dialing, as shown in process 202. 

25 The alphanumeric dial string that is supplied in a 
symbolic name for the virtual LAN in which the 
end-system wishes to participate. 

Call Processing 101 (FIG .2) translates the al- 
phanumeric dial string into the associated exten- 

30 sion number for that virtual LAN (as defined 
through the switch administration software contain- 
ed in unit 103, F1G.1). It recognizes the extension 
number as one to which server 102 will respond. 
Call processing 101 then sends a message to 

35 server 102 to inform It that a call destined for it has 
been requested. Within the message, as shown in 
process 203. call processing supplies the extension 
number of the calling end-system as the Calling 
Party ID and the translated extension number as 

40 the Called Party ID in order to identify the origin 
and destination of the requested call. 

Server 1 02 facility checks process 204 to see if 
the calling end-system identified by the Calling 
Party ID is a valid member of the virtual LAN 

45 specified by the Called Party ID, again, as defined 
through the switch administration software. If so, 
server 102 responds, process 205, to call process- 
ing 101 that it will accept the call. Otherwise, the 
server responds that the call is to be rejected. 

so In this example, the calling end-system has 
been defined to be a member of the virtual LAN in 
which it is attempting to participate. Server 102 
sends a call acceptance message, process 205, to 
call processing, which in turn sends a call connect 

55 message, process 206, to the end-system which 
indicates that the call has been accepted and that a 
physical connection has been set up. 

Software layers in the end-system driver and in 
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the PBX*s communications support processes 207. 
208, 209 and 210, carry out dialogues with one 
another on a layer-to-layer basis, called 
"handshaking," to verify that like-layers are com- 
patible and to establish communication between 
the like-layers. First a handshake is performed 
between the data link layer (level 2) software, pro- 
cess 207, in the end-system and in the PBX. Then, 
a handshake, process 208. is performed between 
the network layer (level 3) software in the end- 
system and in the PBX At this point, the virtual 
circuit connection that Is to become the umbilical 
connection is established. 

Prior to carrying out virtual LAN message ex- 
changes over the virtual circuit connection, a hand- 
shake, process 209. must be performed between 
server 102 and the layer of the end-system driver 
that handles virtual LAN messages in order to 
verify their compatibility. The end-system is re- 
sponsible for sending a handshake message to the 
server which conveys the software version and 
release numbers of the end-system driver. 

Server 102 compares the end-systems's driver 
version and release numbers with its own version 
and release numbers. In this example, the numbers 
are compatible and so the server sends the end- 
system a reply message, process 210, in response 
to the handshake message indicating that the 
handshake is successful. At this point, the umbilical 
connection has been successfully established. 

Next, as shown in process 21 1 , the end-system 
and the server may exchange virtual LAN mes- 
sages with one another to carry out name services, 
datagram services, and call mediation services, etc. 



Name Service and Call Set Up 

Once the umbilical connection is set up, an 
end-system can make calls to other end-systems 
on the same LAN. with the help of VLAN server 
102 without going through the rigorous umbilical 
connection set up procedure. 

F1G.3 illustrates the sequence of high-level 
steps performed to set up a virtual circuit connec- 
tion and establish a session between two end- 
systems participating in the same virtual LAN. 

The virtual LAN Mode 3 NETBIOS driver in 
end-system 110, as indicated by its name, pro- 
vides a NETBIOS interface to which application 
programs can issue network-related commands. In 
order to initiate a call to another end-system, an 
application in the origin end-system issues a CALL 
command, process 301, to the NETBIOS interface 
of the driver. Two of the parameters specified in 
the CALL command are the name of the origin 

(FROM NAME) placing the call and the name of 

the destination (TO NAME) to which the call is 



directed. 

In order to indicate to the driver that it wishes 
to receive a call from another end-system, an ap- 
plication on destination end-system 120A issues a 
s LISTEN command, process 302. to the NETBIOS 
interface of the driver. Two of the parameters 
specified in the LISTEN command are the name of 

the origin (FROM NAME) from which the call will 

be accepted and the name of the destination 

70 (TO_NAME) that wishes to receive the call. 

The driver in the originating end-system ac- 
cepts the CALL command and sends an S_CAU_ 
process 303, message to server 102. The S_CALL 
message carries TO_NAME and FROM NAME 

is as specified in the CALL command. 

Upon receipt of the S_CALL message, server 
102 performs some verification steps (e.g., is the 
origin name really a member of the virtual LAN 
associated with the umbilical connection over which 

so the message was received?; is TO — NAME known 
in this virtual LAN?; are the version and release 
numbers of the . drivers at the two end-systems 
compatible?; etc.). If server 102 verifies that the 
call request can and should be attempted, it sends 

25 a UST_QUERY message, process 304. to destina- 
tion 120A. The purpose of the UST_ QUERY is to 
determine if that end-system has issued a LISTEN 
specifying TO_ NAME as the destination name and 
FROM__ NAME as the origin name. 

30 An important piece of information that the serv- 

er 102 includes in the LIST__ QUERY is a unique 
security code (SEC__CODE) that is associated spe- 
cifically with this particular call request The driver 
in destination end-system 1 20A receives the 

35 UST__ QUERY and checks to see if there is an 
outstanding LISTEN command that specifies 
TO — NAME as the destination name and 
FROM_NAME as the origin name. In this example, 
it finds the outstanding LISTEN. The driver saves 

40 the SEC_CODE from the LIST__ QUERY in antici- 
pation of receiving the call. The driver then sends, 
process 305, a reply to the UST^QUERY 
(RP_UST_QUERY) that contains a return code 
indicating that an outstanding LISTEN was found 

45 and, therefore, that the call request is acceptable. 

Server 1 02 receives the positive 

RP LIST QUERY and sends a reply, process 

306, to the S_CALL (RP_ S_CALL) to calling 
end-system 110, The RP — S_CALL contains a re- 
st) turn code indicating that the requested call can be 
attempted. 

Server 102 includes two important pieces of 
information in the RP_S_CALL. One is the exten- 
sion number for destination end-system 120 A that 
55 calling end-system 110 must dial in order to set up 
the call. The second is the unique security code 

(SEC CODE) that was generated and included in 

the LIST QUERY sent to the destination end-sys- 
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tem. 

The driver in calling end-system 110 receives 

the positive RP S_CALL and dials, process 307, 

the indicated extension number in order to set up 
the physical connection to destination end-system 
120 A 

Destination end-system 120 A answers and ac- 
cepts the call via process 308, and the data link 
layers as discussed with respect to FIG.2 of the 
two end-system drivers handshake, process 309. 
This is followed by handshaking between the net- 
work layers of the two end-system drivers, process 

310. At this point the virtual circuit connection has 
been successfully established and calling end-sys- 
tem 110 driver then sends a message, process 

311. to request a session (REQ SES) to the des- 
tination end-system over the virtual circuit connec- 
tion. The REQ SES contains the SEC CODE 

generated for this call by server 102. 

Destination end-system 120 A driver receives 

the REQ SES message and compares the 

SEC CODE contained within it with the 

SEC — CODE saved from the UST QUERY for this 

call. In this example, the two codes match and so 
the destination end-system accepts the session 
request At this time.' the destination end-system 
drv/er notifies, process 312. the application that 
issued the LISTEN that the LISTEN has completed 
successfully by sending a reply, process 313, to 

the REQ SES (RP_REQ_SES) to the calling 

end-system. The RP REQ_SES contains a return 

code that indicates that the session is accepted by 
the destination end-system. 

The origin end-system driver receives the posi- 
tive RP REQ SES and notifies the application. 

process 314, that issued the CALL that the CALL 
has completed successfully. The applications on 
the two end-systems can now exchange data by 
issuing the appropriate data transfer and receive 
commands, process 315. to the NETBIOS interface 
of their respective drivers. 



Claims 

1 . A device for controlling communications be- 
tween a plurality of end-systems (120A, 120B, 
121A, 121B, 122, 3B2, 111), said device 
CHARACTERIZED BY 

means (102, FIG. 6) for establishing at least one 
group of end-systems, each established group 
identifying each end-system authorized to be a 
member thereof, 

means (101. 102, 202, 203) for receiving first in- 
formation from a calling one of said end-systems, 
said first information including an identification of 
this end-system and a request for membership in 
one established group, 



means (102, 204-210) responsive to said first in- 
formation and to said established group for grant- 
ing said request if and only if said calling end- 
system Is an authorized member of the group 

5 requested, and 

means (102, 303) responsive to second information 
from said calling end-system and to the granting of 
said request for controlling communications be- 
tween this calling end-system and a called one of 

to said end-systems identified in said second informa- 
tion. 

2. The device of claim 1 
CHARACTERIZED IN THAT 
said controlling means couples communications 

75 between said calling and called end-systems if an 
only if these end-systems are within a single group. 

The device of claim 1 
CHARACTERIZED IN THAT 
said communication controlling means prevents 

20 communications between said calling and called 
end-systems when these end-systems are- within 
different groups. 

4. The device of claim 1 further 
CHARACTERIZED BY 

25 means (102, 305, 306) for determining whether 
there is communication compatibility between said 
calling and called end-systems and for preventing 
communications between calling and called end- 
systems if a communication incompatibility exists. 

30 5. The device of claim 4 

CHARACTERIZED IN THAT 

said communication incompatibility results from un- 
like communication establishment protocols. 

6. The device of claim 1 
36 CHARACTERIZED IN THAT 

said second information includes an identification 
of other called ones of said end-systems and said 
controlling means controls communication between 
said calling end-system and said other called end- 
40 systems. 

7. The device of claim 1 
CHARACTERIZED IN THAT 

said establishing means includes means (103) for 
specifying at least one group as an authorized 
45 group for each of said end-systems. 

8. The device of claim 1 
CHARACTERIZED IN THAT 

said controlling means includes means (102. 304, 
306) for sending special instructions pertaining to 
so communications between said calling and called 
end-systems, said special instructions pertaining to 
communication completion. 

9. The device of claim 8 
CHARACTERIZED IN THAT 

55 the special instructions sent to said calling and 
called end-systems are identical. 
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10. The device of claim 1 further 
CHARACTERIZED BY 

a communication switch (10) operating in a connec- 
tion oriented mode. 

means (105. 106) for connecting said connection 

oriented switch to said end-systems which operate 

in a connectionless mode, and 

means (120) for connecting said switch to said 

device. 
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FIG. 2 

ESTABLISHING UMBILICAL CONNECTION 
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FIG. 3 
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FIG. 6 
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